I'm trying to set up AD integration. I have the checkbox enabled for AD Integration and the LDAP path set (which I pulled from our current ShoreTel 14.2 environment that is working). When I try to enable a user, it asks for a password, but I'm not sure what password it is asking for. And it says failed to connect to AD server.

I've tried using the ShoreTel admin guide but it's not very helpful in this instance. Any suggestions? Thanks

TAC support finally got back to me and we installed the Windows feature of Windows Authentication and then enabled it in IIS once it was installed. I was using a test server for this which is why it wasn't already installed.

The domain can be set differently and there are also some options in the communicator you could try to see if it is working. Do you have a partner that you can create a ticket with? This is generally the kind of thing a partner could really assist with.

@Minion - those articles are for version 13.2 and 14.2. It seems ShoreTel Connect has changed up the way they do AD integration. I have opened a TAC case, but they've been very slow to respond.

@Romo, I tried integrating this from the server and still the same pop up. I type in the user's domain\username and check the box for AD user. When I hit sync with AD, it brings up a box that says "Enter your AD password." Here I've tried typing in my user password but it then says failed. I'm not sure what password it's needing here. This is not the same process as ShoreTel 14.2 and earlier.

So it seems like ShoreConnect is actually able to use my Windows credentials. What's not working I've found is the checkbox for "Use Windows Credentials." The SSO does not seem to be working. Any other suggestions? Thanks!

Hey Grundy, thanks for coming back to me. I'm a complete noob to ShoreTel and could use just a little more detail.

Windows authentication has been enabled on the default web site.

AD integration does not work for logging on to ShoreTel Director or when using the Mitel Connect client. The ShoreTel server doesn't even send an LDAP query to a domain controller (using Wireshark, nothing seen).

I can force LDAP queries and responses so I'm satisfied that the servers can communicate.

How I forced LDAP queries:

1) disable AD integration for the account,
2) log off ShoreTel Director,
3) log on using the local account,
4) add the domain\username info,
5) enable AD integration for the account,
6) click Save (while still logged on),
7) use the blue SHOW FROM AD button and enter the domain password.

The AD Data window appears and Wireshark shows a bind request to a domain controller and a 'success' response.

Sorry to treat you like Tech Support but the local yokels are saying that the only way integration will work is if we put their ShoreTel Director server into our domain. We don't want to do that; we want to use LDAP instead.

Anything you can add or any info you received from the TAC will be very welcome.

So the Show From AD and Sync From AD buttons were very misleading to me. We still get the password prompt and don't know what to type in there, however, if you just check the box for the user and type in domain\username, they were able to log in to the Connect Client using the Use Windows Credentials check box.

The only other setting configuration you need other than Windows Authentication is in Director to enable AD integration. Below is an example with a domain of Example.net and a top level OU in AD of ExOU

Excellent information Grundy as it confirms our configuration is in line with yours, but it still doesn't work. It looks like integration is broken in the later version of Director we are running.

This gives us solid info to take back to Mitel.
Thanks for your help, much appreciated!

The ShoreTel Director server is not ours and isn't managed by us, so we didn't want it in the domain. Added to that, there is no information anywhere online from Mitel or the old ShoreTel stating that this is a requirement for the integration to work.

Mitel TAC has now advised through the solution provider that the server must be in the domain for the integration to be supported, but we still have only an extract from an email which was forwarded to us. (We think it's from the TAC.)

The boss isn't happy that we weren't told of this requirement earlier in the selection process but here we are with no choice.

Having dealt with the likes of Cisco, Microsoft, other major vendors and many telcos, we are stunned that Mitel does not make this information readily available. They aren't a small company and they have a great reputation based on their own products out there. This situation looks very 'Michael Mouse' to us.

I've just added the server to the domain and am looking forward to testing AD Integration.

When we upgraded from ShoreTel 14.2 to Connect 21.90.4127.0 (November) we moved our Director and DVM Servers into the Domain and turned on Active Directory. It works for users to log into the Connect client, but the Show from AD and Sync from AD have never worked. "Show from AD" returns the "AD Data" pop-up window with "Name ShoreTel Value AD Value", but there is no user information in the window. Sync returns "Failed to get data from Active Directory server."

3) in AD, your email address is _not_ the same as your userPrincipalName

When you try to make a lookup to AD ('show from' or 'sync'), ShoreTel presents your 'client username' from its records as the AD username for the lookup and offers the password you are prompted for. However, the initial AD sync of your account filled in the 'client username' value with your email address, so it fails to authenticate with AD.

Once you understand the problem, it is a fairly simple fix - have another admin perform the following steps on your account inside Director (if you do it yourself you will get logged out halfway through and it is a faff):

1) remove the 'Active Directory User' tick and save the account - the 'client username' field is now editable.

Now when you log in and do a 'show from AD', Mitel will provide AD with your UPN and password, which is a valid way of authenticating, and return values. There, 2 minutes to fix, half a day sniffing data packets to diagnose.
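The post above traces the failed 'show from AD' bind to a 'client username' that holds the mail address instead of the userPrincipalName. The script below is an added example (not from the thread, and not Mitel or ShoreTel code) that lists enabled accounts where the two attributes differ, so an admin can spot affected users before they hit the password prompt. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the session runs as a domain user with read access to the directory, and uses a search base built from the constructed Example.net / ExOU names mentioned earlier in the thread.

```powershell
# Added example, not part of the original thread. Flags AD accounts whose
# mail attribute differs from their userPrincipalName; a ShoreTel 'client
# username' populated with the mail value will fail the AD bind described above.
# Assumes: ActiveDirectory module (RSAT) installed, domain-joined session with
# read access to the directory.
Import-Module ActiveDirectory

# Constructed search base from the thread's example domain and OU; replace with your own.
$searchBase = 'OU=ExOU,DC=Example,DC=net'

# Pull enabled users with the two attributes the comparison needs.
$mismatched = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase `
        -Properties mail, userPrincipalName |
    Where-Object { $_.mail -and ($_.mail -ne $_.userPrincipalName) } |
    Select-Object SamAccountName, userPrincipalName, mail

if ($mismatched) {
    Write-Host "Accounts whose mail and UPN differ (AD lookup fails if the client username holds the mail value):"
    $mismatched | Format-Table -AutoSize
} else {
    Write-Host "No mail/UPN mismatches found under $searchBase"
}
```

Run it from a workstation or server with RSAT; if it returns nothing but the lookup still fails, the 'client username' field in Director is the next thing to compare against the UPN column.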

When you get the prompt for AD password, you need to use your current logged in user's AD password. Don't worry, it doesn't save it into the system, but just uses it to query AD and get the required info needed for the user you are changing.